Real estate broker sanctioned by the Romanian DPA over data breach and cookie consent violations


On 22 December 2022, the Romanian DPA announced several sanctions imposed on a real estate broker, as follows:

  • a fine of EUR 10,000 for failing to implement appropriate technical and organizational measures to ensure the security of its processing in accordance with Article 32 (4) of the GDPR;
  • warning for failing to inform data subjects regarding the data breach affecting their personal data;
  • warning for placement of cookies that were not technically necessary without the data subjects’ prior informed consent.

Following the investigation, the Romanian DPA concluded that the said controller did not implement adequate measures so that persons acting under its authority process personal data only in accordance with the controller’s instructions. The lack of such measures led to the unauthorized disclosure of over 509 individuals’ personal data, including name, surname, personal numerical code (“CNP” in Romanian), telephone number, ID card series and number, e-mail address, bank details, property purchases, marital status, amount requested, bank, and comments.

At the same time, the Romanian DPA also concluded that the controller’s website used cookie modules that were not technically necessary for the functioning of the website, without obtaining the users’ consent and without providing clear and complete information in accordance with Articles 12- 14 of the GDPR. Consequently, the said controller was found in breach of cookie consent requirements under Law No. 506/2004.

From publicly available information, this appears to be the first time since the GDPR came into force that the Romanian DPA has investigated compliance with the cookie requirements. This might indicate a shift in the Romanian DPA’s enforcement practice, signaling website owners the importance of obtaining the data subjects’ prior informed consent where applicable.

The press release is available here (only in Romanian).